Your leadership wants controls in place for immediate action on any OverWatch detections. What should you do to ensure the host is contained quickly and notifies the appropriate staff?
A. Create a Fusion SOAR workflow using the OverWatch playbook to contain the host and email the SOC team
B. Create a Fusion SOAR workflow to contain the host and email the OverWatch team
C. Create a Fusion SOAR workflow to trigger on an OverWatch detection and set it to block the detection
D. Create a Fusion SOAR workflow to create a detection for OverWatch and email the SOC team
The correct action (A) is to create a Fusion SOAR workflow using the OverWatch remediation and prioritization playbook to contain the host and notify the SOC team. Fusion SOAR workflows automate response actions based on Falcon events. OverWatch detections are high-value, human-hunted detections, and a predefined OverWatch playbook exists to support fast remediation actions such as containment, email notification, and related response steps. Emailing the OverWatch team is not the customer's responsibility; the correct internal recipients are typically the SOC or incident response staff. Blocking "the detection" is not the correct workflow model because a detection is a record of observed behavior, while containment is the host-level response. Creating a detection is also incorrect because OverWatch has already generated the detection.